Getting Caught by Phishing

By Jane Ehrhardt

Published: June 13, 2017

Kevin Warren

Last month, a global ransomware attack called WannaCry struck over 60 countries in one day. In England, 40 National Health Service (NHS) facilities were infected, forcing hospitals to close emergency rooms, cancel procedures, and turn away patients. The cause was phishing.

In phishing, "a user opens an email attachment and that puts an executable file on their computer," says Kevin Warren, lead technology consultant with Keep IT Simple, a tech support and source firm. "If the computer is attached to a network, the file will start to jump around and infect any connected devices." The file releases malware that encrypts any documents on the infected computers and servers, demanding a ransom to obtain the key to unlock the files.

Though phishing has haunted the internet for decades, it has recently become more sophisticated. Now potential victims receive very authentic-looking and often personalized emails from companies they work with, people they know, and even their own staff. Many phishing emails work like the recent massive cyber-attack utilizing malware to lock down files. Others seek the release of data. Some directly scam money through deception. CEO fraud tops that list.

This phishing technique uses very targeted information mined from social media, websites, news, and even other hacks into data sources, like Yahoo, Target and Google. That information is turned into a well-crafted email that references details particular to that business, usually sent to someone at the practice or company with access to funds.

The email will look like it comes from the CEO or physician. "Physicians own real estate and other holdings, so they're a rich target," says Russ Dorsey, manager of information services with Kassouf & Co, a Birmingham CPA firm and healthcare consulting group.

The email may say something about the physician being in a meeting the rest of the day and needing a transfer of a large sum to a particular account to make a down payment on property, start a merger, or something with legitimate immediacy.

"You'd think it would be difficult to fall for," Dorsey says. "But it's happened at least five times in Birmingham that I know of over the last two years. In two of them, the money was transferred." In some cases, the scammers even supply a phone number with a bogus lawyer answering to verify the transaction.

Sometimes they call first to get the information they need. "They'll say, 'Hey I'm trying to find your IT manager' or 'I'm with X and Y company' and start asking questions about how you do business, like 'Is Dr. So-and-So the one who makes real estate decisions'," Dorsey says.

Prevention comes from saying no. "If a person calls in blind, the practice policy has to be 'We don't share that information'," he says, including any current vendors or what duties each staff person performs.

One local business released its entire employee list in response to a phishing email, including payroll information, home addresses, and social security numbers. It was classic social engineering: manipulating someone into divulging sensitive information.

"They were asked for the information in a specially crafted email from a company presenting itself as payroll services. It was during tax time, and their human resources department dutifully sent it out," Dorsey says, emphasizing that money and patient information are not the only valuable commodities a practice holds. "Employee data contains sensitive, personal identifiers."

Cyber criminals mine through data from all aspects of people's lives to make connections and formulate very personal phishing emails. "As everything evolves, these people are going to find better ways to conceal themselves and get us to click on what they need us to click on," Warren says.

As prevention, a three-way internal control should be followed before releasing patient and employee information, as well as funds. "Meaning at least three people know the transaction is going to occur," Dorsey says. "Because so much is at risk, including potentially hundreds of thousands of dollars in HIPAA fines."

Small practices are not immune. "Cyber-criminals know they can hit a lot more of the smaller practices, and that some will pay. You multiply a few hundred dollars 2,000 to 3,000 times and that adds up," Warren says.

Both IT experts' companies have been targets themselves. "We got an email from this CEO that we get things from all the time, and it said, 'I have this business document I want you to look at,'" Dorsey says. "With physicians, it could say 'I'm a new patient, and I have this medical record for you to look at.'"

If a computer does get the malware pop-up saying its files have been encrypted, physically shut off that computer immediately and call the IT techs. "It doesn't always pop up a message," Warren says.

"Sometimes it just adds a text file to your desktop that goes unnoticed for hours." Those users tend not to notice anything wrong until files become inaccessible. The solution is to keep a clean desktop screen, so new icons will be immediately spotted.

At Kassouf & Co., Dorsey makes training against phishing a game. "So if something weird happens, they feel comfortable letting the right people know," he says. Their employees get an enticing email, such as from somebody they know, a pizza coupon, or the latest news on the president. When they click on the attachment, Dorsey gets notified. "You train them to see what's usual coming from our company, like from HR, and what phishing emails can look like," he says. Companies offer this kind of phish training as a subscription. "The training needs to be lighthearted, though, because staff should want to come to you when they see something."

On average, about a fourth of every company's employees are prone to phishing. "If you sent well-created emails to an organization, you can usually get 20 to 30 percent to click on the attachment," Dorsey says. "With training, a company should be able to lower the phish-prone percentage into the single digits and have employees that are almost impossible to fool."

The ongoing training keeps staff alert and staves off complacency. "When people get in autopilot mode and see something from UPS or that it's time to pay that vendor, they immediately click on the attachment," Warren says.

A simple deterrent is to look at the full email address of every sender before clicking anything. "Is that UPS email coming from UPS.com? Or is it a Gmail address or a bunch of odd characters?" Warren says. If you have doubts, call the sender at a phone number listed on their website or past invoices, not from the email. "People do not think these things can happen to them," he says. "But they do."
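The sender check Warren describes, written out as detection logic a practice's mail filter could run over incoming From: headers: does the brand named in the display name (or in the domain itself) match the domain that brand actually sends from, is it a free-mail address, or is the domain "a bunch of odd characters"? This is an added example, not code from the article or from either firm; the brand, domain and free-mail lists are constructed assumptions and would be extended with a practice's own vendors.

```python
import re
from email.utils import parseaddr

# Constructed for this example: brands a practice hears from, with the domains
# each brand legitimately sends from, and consumer mail providers a vendor
# would not normally bill from.
EXPECTED_DOMAINS = {"ups": {"ups.com"}, "fedex": {"fedex.com"}}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(from_header: str) -> list[str]:
    """Return the reasons to distrust this sender; an empty list means it passed."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["no parsable address"]
    reasons = []
    # Label just left of the TLD ("ups" in mail.ups.com); good enough for a filter,
    # though two-part TLDs such as .co.uk would need a public-suffix list.
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else domain
    for brand, good in EXPECTED_DOMAINS.items():
        claimed = re.search(rf"\b{brand}\b", name.lower()) or re.search(rf"\b{brand}\b", label)
        legit = any(domain == d or domain.endswith("." + d) for d in good)
        if claimed and not legit:
            reasons.append(f"claims {brand} but address is @{domain}")
    if domain in FREE_MAIL:
        reasons.append("free-mail provider, not a company domain")
    # Digits and hyphens piled into the domain are the "odd characters" Warren means.
    if len(re.findall(r"[0-9-]", label)) >= 3:
        reasons.append("domain is a bunch of odd characters")
    return reasons
```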